Audit Issues

System Security and Access Controls


System and Application access capabilities are designed to allow users to log on to a system and/or application to perform functions or tasks necessary for them to do their jobs. There are varying degrees of access that can be granted to users from inquiry only to the ability to update and change system and application programs and data. By not adequately administering and controlling system security and access capabilities, system and application programs and data can be compromised and inappropriate transactions can be processed. System and application owners should develop and implement policies and procedures and adequately train users to ensure that system and application security and access controls are adequate. The following are general guidelines to follow to help in this regard.

1. System users should be trained to secure their access identifications (IDs) and passwords. They should not be written down and left in a location that is not properly secured. MOST IMPORTANTLY, ACCESS IDS AND PASSWORDS SHOULD NEVER BE SHARED WITH OR USED BY OTHER EMPLOYEES.

2. Individual access IDs and passwords should be unique to the user and should be unusual enough so that others cannot guess what a user's access ID or password may be. For instance do not use your name or the name of a child, telephone extensions, initials, birth dates or other commonly known information. Ideally, access IDs should be at least four digits long and contain both alpha and numeric characters.

3. When users are first granted access to a system or application, or when a system or application is upgraded, system administrators may assign users generic passwords. For instance, an administrator may give a new user with the name John C. Doe an ID of JCD1 and assign them the same value as their password. When the SmartStream Financial Management System was recently upgraded, all users were assigned "password" as their password. Users should change these generic passwords to unique self-assigned passwords immediately.

4. Each user should have only one ID and password. We have noted instances where certain users have two or more IDs and/or passwords. This is redundant and unnecessary and can cause problems with administering and controlling system and application access.

5. When systems or applications are being developed and implemented or upgraded, it is not unusual to provide programmers and consultants with access capabilities that allow them to perform most if not all functions. It is important that the access IDs and passwords for these individuals are terminated prior to putting the system, application or upgrade into production.

6. Throughout the City and the Hartford Public School System (HPSS), employees are regularly being hired, retiring or changing positions and/or responsibilities. It is imperative that, when these employee changes occur, system owners determine the extent of any related changes that are required to access IDs and passwords. When an employee retires or is no longer employed by the City or HPSS, all of their access IDs and passwords should be immediately deactivated in all systems and/or applications. In addition, when an employee changes jobs or responsibilities, system owners need to determine whether they still need the same access capabilities in their new position and make changes as deemed appropriate. In certain instances, the responsibility for system security administration is shared between the system owner and Metro Hartford Information Services (MHIS). In addition, the Personnel department regularly notifies MHIS of personnel changes including new hires, terminations and moves. It is very important that both MHIS and system owners are notified of any and all employee changes in a timely manner so they can update system security and access accordingly.

7. Many systems and applications have options that provide a certain level of control over access IDs and passwords. These options should be utilized to the greatest extent possible. Some of these options are as follows:

A requirement that users periodically change their passwords. Many systems and applications automatically require users to change their passwords at least annually. A certain amount of time is allowed by the system for users to go in and change their passwords. When passwords are not changed as required, the system may automatically disable the password, thereby terminating the user's access to the system or application. If the system or application does not have this option, then the system owner should encourage users to change their passwords periodically.

An option that will automatically disable user IDs and passwords if not used for a predetermined period of time. If the system does not do this automatically, then the system administrator should monitor use and delete or change access capabilities as deemed necessary.

The ability to disable a user's access ID and/or password after someone has tried unsuccessfully three or more times to enter a password.
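For systems that lack these built-in options, the same checks can be run by the system owner as a periodic access review. The following is an added example (not a City, HPSS or MHIS tool) that applies the three controls above plus the one-ID-per-user rule from item 4 to constructed account records; the record fields and the 90-day dormancy window are assumptions for the example.

```python
from datetime import date, timedelta

# Thresholds from the guidance: annual password change, lockout after three
# failed attempts. The dormancy window is "predetermined" in the text; 90 days
# is an assumption made for this example.
MAX_PASSWORD_AGE = timedelta(days=365)
DORMANT_AFTER = timedelta(days=90)
LOCKOUT_THRESHOLD = 3
REVIEW_DATE = date(2024, 6, 1)  # the date the review is run (constructed)

# Constructed sample records; hypothetical, not real City/HPSS accounts.
ACCOUNTS = [
    {"id": "JCD1", "user": "John C. Doe", "last_login": date(2024, 5, 28),
     "pw_changed": date(2024, 2, 1), "failed": 0},
    {"id": "JCD2", "user": "John C. Doe", "last_login": date(2024, 5, 20),
     "pw_changed": date(2024, 3, 1), "failed": 0},
    {"id": "ASMITH", "user": "Ann Smith", "last_login": date(2024, 1, 10),
     "pw_changed": date(2024, 1, 10), "failed": 0},
    {"id": "CONSULT1", "user": "Vendor Consultant", "last_login": date(2024, 5, 30),
     "pw_changed": date(2023, 4, 1), "failed": 0},
    {"id": "BJONES", "user": "Bob Jones", "last_login": date(2024, 5, 31),
     "pw_changed": date(2024, 5, 1), "failed": 4},
]


def review_accounts(accounts, today):
    """Return (account_id_or_user, finding) pairs for IDs that should be
    disabled or followed up, in the order the records are scanned."""
    findings = []
    ids_per_user = {}
    for a in accounts:
        ids_per_user.setdefault(a["user"], []).append(a["id"])
        if today - a["pw_changed"] > MAX_PASSWORD_AGE:
            findings.append((a["id"], "stale-password"))  # disable until reset
        if today - a["last_login"] > DORMANT_AFTER:
            findings.append((a["id"], "dormant"))         # disable unused ID
        if a["failed"] >= LOCKOUT_THRESHOLD:
            findings.append((a["id"], "lockout"))         # too many bad attempts
    for user, ids in ids_per_user.items():
        if len(ids) > 1:
            findings.append((user, "multiple-ids"))       # one ID per user
    return findings


if __name__ == "__main__":
    for subject, finding in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{subject}: {finding}")
```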

8. Two individuals should be trained to be able to administer system security and access capabilities for each system or application.

To ensure the integrity of the City's/HPSS's systems, applications, programs and data is maintained, it is imperative that system and application owners develop, implement and maintain adequate policies, procedures and controls regarding system security and access.

If you have any questions or concerns regarding security and access controls for any system or application please contact Internal Audit at 543-8568 or MHIS at 695-8411.